ROLE-BASED ACCESS CONTROL ON THE WEB

23 slides

1

ROLE-BASED ACCESS CONTROL ON THE WEB
Li Lingtao, Oct 14, 2003

2

CONTENT
- Background (MAC, DAC)
- Role-Based Access Control
- Implementation of RBAC on the Web

3

Mandatory Access Control (MAC)
MAC, as defined in the Department of Defense Trusted Computer System Evaluation Criteria, is “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”

4

Discretionary Access Control (DAC)
- Capabilities
- Profiles
- Passwords
- Protection bits (UNIX)
- Access Control List (ACL), e.g. file A: (Alice, {r, w}), (Bob, {r}), (Dept, {w})

5

Role-Based Access Control (RBAC)
With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

6

RBAC Model
- Users are associated with role(s), e.g., Jacky: doctor.
- Roles are associated with privileged operation(s), e.g., doctor: prescribe_drugs, order_tests.
- A user has access to a privileged operation only if the user has an authorized role which is associated with that privileged operation.

7

RBAC Model
[Figure: Users are assigned to Roles, Roles hold Privileges; a Role Hierarchy is defined over the Roles.]

8

RBAC Model: Role Relationships
- Roles may be related hierarchically, e.g., surgeon → doctor.
- Roles may have conflict-of-interest relationships:
  -- Static Separation of Duties (SSD), e.g., comptroller and auditor cannot be authorized for the same user.
  -- Dynamic Separation of Duties (DSD), e.g., teller and account_holder can be authorized for the same user but cannot both be active.
- The number of users authorized for a given role may be limited by the cardinality of that role, e.g., president has cardinality one.

9

Role Relationships Example: Bank
[Figure: role hierarchy with the roles Financial_advisor, Account_rep, Branch_manager, Internal_auditor, Teller, Account_holder, employee, Invited_guest and visitor.]

10

RBAC on the WWW
Problem: Administrators view organizations in terms of individuals and their roles. Access to the WWW is enforced by group and access control list (ACL) mechanisms. Administrators must map their organizational view to these mechanisms.

11

RBAC on the WWW
Solution: role-based access control
- Access based on the user’s organizational role, e.g., doctor, nurse, bank teller.
- Higher level of abstraction compared to commonly used access control mechanisms, e.g., MLS.
- An administrator’s organizational view IS the access control mechanism.
=> RBAC valuable for “intra-net” enterprise use of the WWW

12

Security Administration with RBAC
- For each role: assign privileged operations, e.g., Doctor: prescribe_drugs, order_tests.
- To give privileges to a user: assign role(s) to the user, e.g., Mike: broker, manager, cheat.
- To remove a user’s privileges: remove role(s) from the user, e.g., Mike: cheat.

13

Goals for RBAC on the WWW
- Implementation of RBAC on the WWW (RBAC/Web).
- RBAC conformance test assertions, i.e., an abstract test suite.
- Testing software to validate RBAC/Web conformance to the test assertions.

14

RBAC/Web Implementation
- Uses existing WWW technology.
- Can be used with any browser.
- Can be used with any authentication mechanism, e.g., SSL, SHTTP, PCT.
- Privileged operations are HTTP methods, e.g., GET, POST, PUT.
- Available for Unix (e.g., Netscape, Apache) and Windows NT (e.g., IIS, Website).

15

RBAC/Web Components
Unix & NT:
- Database Definition
- Admin Tool
- Database Server
- Session Manager
Unix only:
- API Library
- CGI

16

RBAC/Web Database Definition
Data sets which specify:
- Association between users and their roles.
- Role hierarchy.
- SSD relationships.
- DSD relationships.
- ARSs (active role sets).
- Association between WWW server files, HTTP methods, and roles.
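The model of slides 6 and 8 (role hierarchy, SSD, DSD, cardinality) and the data sets of slide 16 (user-role assignments, active role sets, file/HTTP-method/role associations), worked through in an added Python example that is not part of the presentation or of the NIST RBAC/Web code; the users, roles, paths and permissions are constructed.

```python
# Constructed data sets in the spirit of slide 16 (not the NIST RBAC/Web data format).
USER_ROLES = {"jacky": {"surgeon"}, "mike": {"teller", "account_holder"}, "ann": {"auditor"}}
ROLE_PARENTS = {"surgeon": {"doctor"}, "doctor": {"employee"}, "teller": {"employee"}}
SSD = [("comptroller", "auditor")]      # never both authorized for one user (slide 8)
DSD = [("teller", "account_holder")]    # may be authorized together, never both active
CARDINALITY = {"president": 1}          # at most one user may hold the role
# (server path, HTTP method) -> roles that hold the privilege (slide 14: operations are HTTP methods)
PERMISSIONS = {
    ("/records/", "GET"): {"doctor"}, ("/records/", "PUT"): {"surgeon"},
    ("/accounts/", "POST"): {"teller"}, ("/accounts/", "GET"): {"account_holder"},
}

def senior_roles(roles):
    """Close a role set upward through the hierarchy: surgeon -> doctor -> employee."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return seen

def check_static(user_roles=USER_ROLES):
    """Admin-time check: SSD and cardinality violations in the authorized assignments."""
    violations = []
    for user, roles in user_roles.items():
        eff = senior_roles(roles)
        violations += [f"SSD: {user} holds {a} and {b}" for a, b in SSD if {a, b} <= eff]
    for role, limit in CARDINALITY.items():
        holders = [u for u, rs in user_roles.items() if role in senior_roles(rs)]
        if len(holders) > limit:
            violations.append(f"cardinality: {role} held by {len(holders)} users, limit {limit}")
    return violations

def activate(user, wanted):
    """Session manager: build the user's ARS, refusing unauthorized roles and DSD conflicts."""
    wanted, authorized = set(wanted), USER_ROLES.get(user, set())
    if not wanted <= authorized:
        raise PermissionError(f"{user} is not authorized for {sorted(wanted - authorized)}")
    for a, b in DSD:
        if {a, b} <= wanted:
            raise PermissionError(f"DSD: {a} and {b} cannot both be active")
    return wanted

def allowed(ars, path, method):
    """Web server check: permit the request iff an active role, or one it inherits, holds it."""
    return bool(PERMISSIONS.get((path, method), set()) & senior_roles(ars))
```

The access decision depends only on the active role set of the session, so a user authorized for both DSD roles still has to choose one per session, exactly as the slides describe.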

17

RBAC/Web Admin Tool
- Accessed by means of a WWW browser.
- Creates users and roles.
- Associates users with roles, and roles with the HTTP methods applicable to files.
- Specifies role relationships, i.e., hierarchy, SSD, DSD.

18

RBAC/Web Database Server
- Hosts the authoritative copies of the data sets defining users, roles, and role relationships.
- Notifies WWW servers to update their caches of these data sets when the authoritative copies change.

19

RBAC/Web Session Manager
- Manages the RBAC session.
- Creates and removes users’ active role sets.

20

RBAC/Web API Library
- C and Perl library used by WWW servers and CGIs to access the RBAC/Web database.
- Some WWW servers, e.g., Netscape, Apache, need not be recompiled.

21

RBAC/Web CGI
- Implements RBAC on the WWW as a CGI.
- Existing WWW servers need not be modified.

22

RBAC/Web Use
[Figure: sequence between user, browser, web server and the (cached) RBAC database: the user establishes an RBAC session, the server presents the ARS choices, the user chooses an ARS, the session is established, and URL requests are then answered against the active role set.]

23

References
- J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila, D.R. Kuhn, "Role Based Access Control for the World Wide Web", 20th National Computer Security Conference (1997).
- J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta, "Role-Based Access Control for the Web", CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium (1998).

Last Updated: 8th March 2018
